The story so far: On April 16, reports emerged that the LockBit ransomware operation had, for the first time, built encryptors designed to run on Mac devices, making it the first major ransomware operation to specifically target Apple computers. The new encryptors target both older Macs and newer ones running on Apple Silicon.
Earlier in January, the LockBit gang was reportedly behind a cyber-attack on U.K. postal services, causing international shipping to grind to a halt.
What is LockBit ransomware?
First reported in September 2019 and initially dubbed the “abcd” virus, after the file extension it appended to victims’ files once encrypted, the LockBit ransomware is designed to infiltrate victims’ systems and encrypt important files. It is classed as a “crypto virus”, or crypto-ransomware, because it demands payment in cryptocurrency in exchange for the key that decrypts the files on the victim’s device.
The ransomware is therefore typically deployed against victims who feel hindered enough by the disruption to pay heavy sums in exchange for access and can afford to do so.
The gang behind the LockBit ransomware reportedly maintains a dark web portal to recruit members and release data of victims who refuse to meet their demands, as part of their business model. In the past, LockBit ransomware has been used to target enterprises and organisations in the U.S., China, India, Ukraine, and Indonesia. Attacks have also been recorded throughout Europe, including in France, Germany, and the U.K.
Why is LockBit targeting macOS?
Historically, ransomware has targeted Windows, Linux, and VMware ESXi servers. However, LockBit is now building encryptors that target Macs for the first time, a report from BleepingComputer said.
Analysis of the encryptors suggests they are test builds rather than ready-to-use ransomware. Experts believe that, after launching multiple attacks across Europe and Asia, the gang is developing tools to target macOS and further widen the scope of its attacks to bring in more money for the operation.
How does LockBit ransomware work?
It works as self-spreading malware: once it has infiltrated a single device with access to an organisation’s internal network, it can move to other machines without further instructions from its operators. It is also known to hide its encryption executables by disguising them as .PNG image files, a trick that evades defences which trust a file’s extension rather than inspecting its contents.
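The extension-versus-contents mismatch described above is easy to check for. The following script is an added example, not code from the article or from LockBit itself: it compares the type a file name claims (an image extension) with the magic bytes at the start of the file, and flags anything that claims to be an image but carries a Windows PE, Linux ELF or macOS Mach-O header. The file names and the sample set are constructed; the header signatures are the real ones for each format.

```python
import os
import struct
from typing import Optional

# Signatures of the image formats the check understands (extension -> magic).
IMAGE_MAGICS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Signatures of native executables on the platforms LockBit builds for.
EXECUTABLE_MAGICS = {
    b"MZ": "pe",                    # Windows PE (DOS stub header)
    b"\x7fELF": "elf",              # Linux ELF
    b"\xfe\xed\xfa\xce": "macho",   # Mach-O 32-bit, big-endian
    b"\xce\xfa\xed\xfe": "macho",   # Mach-O 32-bit, little-endian
    b"\xfe\xed\xfa\xcf": "macho",   # Mach-O 64-bit, big-endian
    b"\xcf\xfa\xed\xfe": "macho",   # Mach-O 64-bit, little-endian (Intel and Apple Silicon)
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"     # Mach-O universal binary; Java class files share it


def executable_kind(header: bytes) -> Optional[str]:
    """Return the executable type a header matches, or None."""
    for magic, kind in EXECUTABLE_MAGICS.items():
        if header.startswith(magic):
            return kind
    if header.startswith(FAT_MAGIC) and len(header) >= 8:
        # A universal binary stores its slice count here (a handful at most);
        # a Java class file stores its version, which is 45 or higher.
        nfat_arch = struct.unpack(">I", header[4:8])[0]
        if nfat_arch < 45:
            return "macho-fat"
    return None


def classify(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(name)[1].lower()
    expected = IMAGE_MAGICS.get(ext)
    kind = executable_kind(header)
    return {
        "name": name,
        "claims_image": expected is not None,
        "header_matches_extension": expected is not None and header.startswith(expected),
        "executable": kind,
        # The LockBit trick: an image extension on top of an executable header.
        "suspicious": expected is not None and kind is not None,
    }


# Constructed sample set: (file name, first 16 bytes). The headers are genuine
# format signatures; the file names and the files themselves are made up.
SAMPLES = [
    ("logo.png",   b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("photo.jpg",  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"),
    ("update.png", b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01\x00\x00\x00\x00\x02\x00\x00\x00"),  # Mach-O arm64
    ("banner.png", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),          # Windows PE
    ("tool.png",   b"\xca\xfe\xba\xbe\x00\x00\x00\x02\x01\x00\x00\x07\x00\x00\x00\x03"),    # universal binary
    ("Foo.class",  b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x1d\x0a\x00\x05\x00\x14\x07"),    # Java class, not Mach-O
]


def scan(files=SAMPLES):
    return [classify(name, header[:16]) for name, header in files]


def flagged_names(files=SAMPLES):
    return [v["name"] for v in scan(files) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in scan():
        print(verdict)
```

On a real system the same check would read the first 16 bytes of each file on disk (or of each attachment passing through a mail or upload gateway); the point is that the verdict comes from the bytes, never from the name.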
Attackers use phishing and other social-engineering methods, impersonating trusted personnel or authorities, to lure victims into handing over credentials. The ransomware’s operators have also used brute-force password guessing against exposed login services to gain access to an organisation’s servers and network.
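Brute-force initial access of the kind described above leaves a recognisable trace in authentication logs: many failed logins from one address in a short time, often followed by a success. The script below is an added example, not code from the article, that runs that detection over a constructed log excerpt in OpenSSH’s log format (the addresses, users and timestamps are made up). It keeps a sliding window of failures per source address, raises a brute-force alert once the threshold is crossed, and raises a second, higher-priority alert if a login from that address then succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Matches the OpenSSH-style lines used below; adapt the pattern for other services.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(line: str):
    """Turn one log line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"raw_ts": m["ts"], "ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_seconds=60):
    """Return alerts for (a) `threshold` failures from one IP inside the window and
    (b) a successful login from an IP that was in the middle of such a burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bursting = set()              # ips that crossed the threshold and have not yet logged in
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # not an auth event
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # slide the window forward
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in bursting:
                bursting.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["raw_ts"]))
        else:
            if ev["ip"] in bursting:
                alerts.append(("success_after_brute_force", ev["ip"], ev["user"], ev["raw_ts"]))
            bursting.discard(ev["ip"])
            q.clear()
    return alerts


# Constructed log excerpt (not real data): a burst of guesses from one address
# followed by a successful login, plus normal noise from another address.
SAMPLE_LOG = [
    "2023-04-17T09:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2",
    "2023-04-17T09:00:07Z sshd[1203]: Failed password for root from 203.0.113.5 port 51530 ssh2",
    "2023-04-17T09:00:13Z sshd[1205]: Failed password for backup from 203.0.113.5 port 51541 ssh2",
    "2023-04-17T09:00:19Z sshd[1207]: Failed password for backup from 203.0.113.5 port 51549 ssh2",
    "2023-04-17T09:00:25Z sshd[1209]: Failed password for backup from 203.0.113.5 port 51557 ssh2",
    "2023-04-17T09:00:31Z sshd[1211]: Failed password for backup from 203.0.113.5 port 51563 ssh2",
    "2023-04-17T09:00:40Z sshd[1213]: Accepted password for backup from 203.0.113.5 port 51570 ssh2",
    "2023-04-17T09:01:00Z sshd[1220]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "2023-04-17T09:01:02Z CRON[1222]: pam_unix(cron:session): session opened for user root",
    "2023-04-17T09:05:00Z sshd[1230]: Failed password for alice from 198.51.100.7 port 40031 ssh2",
    "2023-04-17T09:06:00Z sshd[1231]: Accepted password for alice from 198.51.100.7 port 40035 ssh2",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same logic applies to Windows remote-desktop logins, where the equivalent records are the 4625 (failed) and 4624 (successful) security events keyed on the source address. Detection is the complement to the preventive controls at the end of this article: account lockout and multi-factor authentication stop the burst from ever producing a success.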
Once it has gained access, the ransomware prepares the ground to push its encryption payload onto as many devices as possible. It then disables security software and destroys anything that could allow the data to be recovered, such as local backups and, on Windows, volume shadow copies. The goal is to make recovery without the LockBit gang’s cooperation impossible.
Once this is ensured, the ransomware encrypts the victim’s files, which can only be decrypted with a key held by the LockBit gang. The process leaves behind a ransom note with instructions for restoring the system, which has reportedly also included threatening blackmail messages.
Victims are then left with little choice but to contact the LockBit gang and pay for the decryption key, even though the data stolen before encryption may be sold or leaked on the dark web whether the ransom is paid or not.
What is the LockBit ransomware gang?
The group behind this is known as the LockBit gang and is considered among the most prolific ransomware groups ever. It operates on the ransomware-as-a-service (RaaS) model and follows in a line of earlier extortion-based cyberattacks.
In this model, affiliates pay a deposit to use the ransomware in attacks of their own and profit from the ransom payment. The ransom is split between the LockBit developer team and the attacking affiliates, who receive up to three-fourths of it, cybersecurity company Kaspersky revealed in a blog post.
Though the gang’s exact location has not been established, its attack patterns and its practice of avoiding targets in Russia and the Commonwealth of Independent States (CIS) suggest it operates from within that region and steers clear of those countries to escape prosecution.
What actions have authorities taken?
Because of its ransomware-as-a-service model, the LockBit gang has been on the authorities’ radar for some time. In November 2022, a dual Russian and Canadian national with suspected links to the gang was arrested in Ontario, Canada, for his alleged involvement in attacks targeting critical infrastructure and large organisations. The arrest came after similar action was taken in Ukraine in October 2021, a report from TechCrunch said.
A press release from the U.S. Department of Justice notes that LockBit has claimed at least 1,000 victims in the United States, extracting millions of dollars in the process.
How to protect systems against the LockBit ransomware?
While there are no fool-proof ways of protecting against ransomware attacks, organisations and individuals can take certain steps to increase resilience against such cyber threats.
Long, unique passwords should be used together with multi-factor authentication, so that guessing or brute-forcing a password alone is not enough to compromise a system. Organisations can also run training exercises to teach employees how phishing attacks work and how to recognise them.
Old and unused user accounts should be deactivated and removed, as they become weak links in an organisation’s defences. Because the ransomware goes after anything that could let a victim recover data, backups should be kept offline or otherwise out of reach of the network, and regularly tested for restore. More generally, organisations and individuals should understand the cybersecurity threats they face and the weak points that cybercriminals are likely to exploit.